- The U.S. needs a national cyber executive at the National Security Council to set national policy, says Phil Quade, CISO at Fortinet and a former NSA executive.
- The executive would ratchet up help in protecting U.S. critical infrastructure, particularly in the energy, transportation, water and critical manufacturing sectors.
- He or she would steadily advance strategic national supply chain security policy.
In the national security community, when transitioning among new global and tactical threats, we sometimes referred to the challenge as "changing the engine while in flight." In recent years, that focus was on constraining global terrorist operations and tamping down regional hot wars. But it continues to be reported that foreign cyber warriors, from Russia, China, Iran, North Korea and elsewhere, continue to rob us of strategic intellectual property, cost us incalculable hours of lost productivity, and undermine our faith in both critical infrastructures and information assets.
According to Cybersecurity Ventures, direct damages are projected to cost the global economy $6 trillion (6.3%) annually by 2021, and cybercrime is a colossal barrier to digital trust. That's wealth and opportunity taken from the grasp of the world's cybercitizens and important global initiatives. We are now at an inflection point, and it's time for our nation to retool its cybersecurity policy and strategy. The new administration has the opportunity — a responsibility — to make this a centerpiece of its national security and economic policy.
It starts by setting the tone at the top with leadership. The U.S. needs a national cyber executive at the National Security Council (NSC) to define national policy and policy implementation guidance, using objective metrics.
Regarding tone, he or she should help change the "blame the victim" culture, instead rallying around organizations hacked by organized malicious groups. The executive should work closely with the private sector — which runs most of the nation's cyber-dependent platforms, such as telecommunications, manufacturing, health care, etc. — to provide it with insights on foreign malicious actions against domestic organizations, while getting private sector counsel on the realities of commercial practices to inform public policy.
Our nation had a cybersecurity coordinator on the NSC during the Bush and Obama administrations — a post central to developing policy to defend against increasingly sophisticated digital attacks and the use of offensive cyber weapons. In 2018 that position was eliminated. At the time, national security adviser John R. Bolton said the post was no longer considered necessary because lower-level officials had already made cybersecurity issues a "core function" of the president's national security team. Now it's time for President-elect Biden to fill that position again.
For starters, the new cybersecurity executive would ratchet up help in protecting U.S. critical infrastructure, particularly in the energy (including electricity, dams, oil & gas, nuclear), transportation, water and critical manufacturing sectors. They remain top targets of determined adversaries, and many of those infrastructures are run by companies or local governments that can't be expected to endure attacks by deep-pocketed foreign countries.
Second, he or she would steadily advance strategic national supply chain security policy, putting in motion long-term approaches to ensure the integrity of critical manufacturing of chips, pharmaceuticals and highly automated assembly operations. Importantly, supply chain policy must be formed with private sector input, since policy that is unhinged from the realities of commercial practices will fail. And he or she needs to create policy implementation guidance so that supply chain policy is applied consistently across organizations.
Third, he or she would partner with the leaders of other national initiatives, such as pandemic response, anti-disinformation, and global warming, to identify how cybersecurity can enable their execution and improve our world at large. Cybersecurity can help establish ground truth on these complex and important issues, ensuring the authenticity, sourcing, integrity, and integration of the information needed to inform decision-making and build consensus.
But for policy change to happen, specific domestic and international strategies need to be put in place.
Developing an effective cybersecurity policy
Internationally, America needs to push for the still-elusive international norms of behavior in cyberspace, drawing clear red lines against attacks on critical infrastructure and theft of commercial IP, addressing systematically uncooperative governments. This will establish clear U.S. policy on malicious cyber activity and repercussions for attacks on domestic assets.
Nationally, we need to adopt new ways of thinking about cyber deterrence. Cyber deterrence policy is overly influenced by the nuclear deterrence strategy of "mutual assured destruction" (where powerful weapons aren't used because using them is recognized as against everyone's interest). But that's inadequate, as evidenced by continued critical infrastructure attacks and strategic IP theft. Cyber deterrence needs more facets — "non-nuclear" options that we're willing to use regularly — such as tactical operations, economic, political, diplomatic, and legal measures and even pointed public shaming.
And the deterrence strategy must be perceived as especially resilient to a cyberattack, so that an adversary is less motivated to launch one.
Within the government, the executive should leverage a critical mass of U.S. government expertise across key agencies such as the National Security Agency, Department of Energy, and perhaps Department of Homeland Security, to offer 'cybersecurity-as-a-service', where cybersecurity services are offered on a fee-for-services basis (with all departments still being accountable for their own cybersecurity).
The cybersecurity executive should also champion commercial capabilities, especially highly automated and integrated ones, resisting the temptation of government-developed cybersecurity solutions that have short shelf-lives and are difficult to transition away from.
And that leaves us with the need for a strategy that impacts each of us locally. A cyber strategy would not be complete without a new way to address the cybersecurity skills gap. Last year, in a book called The Digital Big Bang, some esteemed colleagues and I advocated for treating cybersecurity like a science; analogously, the skills gap problem can be greatly simplified by using the principles of economics — addressing both supply and demand.
On the supply side, we can do this by creating a larger cyber workforce pool through diversity, with a focus on "diversity of background," recruiting those looking to improve their economic standing. This means not just the important, typical definition of diversity (sex, race), but also a cybersecurity workforce of driven people without computer science degrees for entry-level jobs. We can also reinvigorate the personnel supply chain model by adopting the Middle Ages' guild model (apprentices, journeymen, masters) to grow talent within organizations by making cybersecurity training more accessible.
On the demand side, we can embrace automation and integration as core strategies, leveraging machines to drive down the requirement for more people. But the demand side of the equation isn't solved by technology alone: each of us — whether in the public or private sector — needs to write job descriptions for people without computer science degrees, defining specific jobs that leverage the cybersecurity apprentices of the guild model.
Great feats require strategic capabilities, developed through national policy and strategy. Cybersecurity can make cyberspace a domain associated with opportunity, efficiency and trust.
—By Phil Quade, CISO at Fortinet, and former NSA executive involved in national cyber strategy and operations and a member of the CNBC Technology Executive Council.
Correction: According to Cybersecurity Ventures, direct damages from malicious activity online are projected to cost the global economy $6 trillion (6.3%) annually by 2021. An earlier version of this op-ed misidentified the data source.